‘Flame’ virus exploiting hole in Microsoft algorithm

A sophisticated piece of malware targeting computers in Iran and other parts of the Middle East spread in part by disguising itself as a piece of Microsoft software, taking advantage of a flaw in one of the company’s older cryptography algorithms.

That’s the word from Microsoft in a blog post published over the weekend. The company has issued a security advisory and released an emergency automatic update designed to stop other online attackers from taking advantage of the same flaw.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

The virus is being cited as the latest example of the rising trend computer warfare, with security guru Eugene Kaspersky viewing it as the type of malware that only a government could create, according to the New York Times.